The Key to Identify PsExec - AboutDFIR - The Definitive Compendium Project
In one way or another, PsExec, a wildly popular remote administration tool in the Microsoft Sysinternals Suite, rears its head in the wild. Threat actors tend to leverage PsExec for various reasons, such as executing programs on a remote host in a victim's environment, or for more nefarious ends such as deploying ransomware. The focus of this blog is to bring attention to a relatively new method for identifying the source host from which PsExec was executed. This is something that has caught my attention on a few IR engagements I have worked on recently. Huge shoutout to Joseph Ziemba for first bringing this to my attention on one of the ransomware engagements we worked on together at KPMG.